EU‑U.S. Data Pri­va­cy Frame­work: ✅ Ade­qua­cy established

The Euro­pean Com­mis­si­on on July 11, 2023 the Ade­qua­cy of the EU‑U.S. Data Pri­va­cy Frame­work. con­firm­ed (Ade­qua­cy reso­lu­ti­on). It has con­clu­ded that the US pro­vi­des an ade­qua­te level of pro­tec­tion for per­so­nal data trans­fer­red from the EU to US com­pa­nies par­ti­ci­pa­ting in the Framework:

Artic­le 1

For the pur­po­se of Artic­le 45 of Regu­la­ti­on (EU) 2016/679, the United Sta­tes ensu­res an ade­qua­te level of pro­tec­tion for per­so­nal data trans­fer­red from the Uni­on to orga­ni­sa­ti­ons in the United Sta­tes that are inclu­ded in the ‘Data Pri­va­cy Frame­work List’., main­tai­ned and made publicly available by the U.S. Depart­ment of Com­mer­ce, in accordance with Sec­tion I.3 of Annex I.

More infor­ma­ti­on can be found on the Com­mis­si­on and Depart­ment of Com­mer­ce websites:

A List of cer­ti­fi­ed com­pa­nies leads the Depart­ment of Com­mer­ce. The reco­gni­ti­on of ade­qua­cy is for cer­ti­fi­ed com­pa­nies imme­dia­te­ly effec­ti­ve.

U.S.-based com­pa­nies can be cer­ti­fi­ed (and annu­al­ly recer­ti­fi­ed) under the Frame­work by agre­e­ing to com­ply with cer­tain pri­va­cy obli­ga­ti­ons, such as pur­po­se limi­ta­ti­on, data mini­mizati­on, sto­rage limi­ta­ti­on, and data secu­ri­ty prin­ci­ples, and third par­ty data sha­ring requi­re­ments. Com­pli­ance with the­se obli­ga­ti­ons is to be audi­ted and enforced by the U.S. Depart­ment of Com­mer­ce and the Fede­ral Trade Commission.

In Switz­er­land, SECO is in cont­act with the U.S. in order to find as quick­ly as pos­si­ble a Swiss vari­ant of the frame­work and to reco­gnize it accor­din­gly. Reco­gni­ti­on will hop­eful­ly take place befo­re the nDSG comes into force. Until then, com­pa­nies must con­ti­n­ue to rely on the SCC.

Howe­ver, in our opi­ni­on they must No Trans­fer Impact Assess­ment (TIA) pro­vi­ded that the reci­pi­ent is cer­ti­fi­ed under the EU-US Frame­work, becau­se the trans­fer to a reci­pi­ent in the EU and from the­re as a onward trans­fer to the USA would also be per­mis­si­ble wit­hout TIA, and the­re is no appa­rent rea­son why a direct trans­fer to the USA – with the same result, albeit on the basis of the SCC – should not be trea­ted in the same way. Howe­ver, this pre­sup­po­ses that the reci­pi­ent con­trac­tual­ly under­ta­kes to com­ply with the Frame­work vis-à-vis the Swiss exporter.

Once the CH-US frame­work is in place, per­so­nal data can be trans­fer­red to cer­ti­fi­ed US reci­pi­en­ts wit­hout the SCC. Howe­ver, a con­trac­tu­al obli­ga­ti­on to main­tain the cer­ti­fi­ca­ti­on is then also recommended.

Aut­ho­ri­ty

Area

Topics

Rela­ted articles

Sub­scri­be